On Fri, Jun 5, 2015 at 12:58 PM, Steve Loughran <[email protected]> wrote:
> ooh, now ZK has interesting and complicated security. I spent more time > writing the kerberos ZK tests for the yarn registry than most of the > registry code itself, from which I came out with > -a fear of kerberos > Kerberophobia? > -a fear of its error messages > -not enough understanding of how ZK security works. > > > > > On 5 Jun 2015, at 16:16, Lei Guo <[email protected]> wrote: > > > > We are trying to use Slider to manage HBase in an environment with > secured zookeeper (Kerberos). Seems there are some issues around both AM > and agent. For example, the kazoo library embedded does not support > Kerberos credential. > > > > > > > Just want to confirm that secured Zookeeper is not supported yet. > > > > it should be. > > The registry can be set up to be world readable, and writeable only by the > user who is starting the jobs > > http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html > > if your hadoop installation has YARN-2571 applied, this is done > automatically for you by the RM. I managed to get this into HDP 2.2, but > it's not in ASF Hadoop (one of the few differences) > > without that, there is a way from the command line to give a user > permissions (and only that user). > > Once the registry is setup, the AM will update its path under > /users/${USERNAME} with > -the URL used by the agents to find the AM > -any bindings the applications publish > > There's also a bit of ZK code in the slider client which creates a > zookeeper path for an HBase cluster, under > /services/slider/users/${USERNAME}/${CLUSTERNAME} > > I think that's the bit most likely to break on a secure ZK cluster, unless > you set up /services/slider/users/${USERNAME} to be writeable by that user. > > Does this help? If not, we'll do what we can to get this to work. It > should work on a secure ZK cluster > >
